I am still quite new to the security field and someone asked me yesterday the question: "How much does a pentest cost?". Although the answer to this question is obviously "it depends", I realized I couldn't even answer with a price range.

In addition, I was recently listening to a pentest security course and the teacher frequently mentioned that there are 2 kinds of pentesters: those who run Nessus and give the report they got, and those who do it properly. So the following questions relate to a quality pentest, not just running a tool and printing the report.

For these 3 scenarios, what would be the effort (number of people, time) and the cost for a good test? I didn't give more details about these companies because we always have to give a price range without knowing much...

1) Small company of 10 employees.
2) A mid-size company of 100 employees.
3) A large company of 2000 employees.

The variables are not the size of the company and the number of employees. It's about the number of active hosts and the number of active/running applications. The second part you got almost right: what if I do the first one with 5 employees and complete it in 1 day?

I'd do it like this (for an external scan):

Number of servers/systems: this may vary from 1 to about 10(?). If it gets any bigger, I'd do a pilot on a set of servers that are representative of the whole infrastructure.

Number of active/running services: this may also vary a lot. If there is one active service (a dedicated mail server, for example) it takes a lot less effort to scan the server thoroughly. This, however, should be tested completely for vulnerabilities. What about custom-built applications? Do they require code review?

Number of resources: how many people do you put on the job? This one goes with the next one:

Number of days: how fast does the pentest have to be completed? This factor influences the resources factor.

There are a lot of other factors that influence the outcome of a price for a penetration test. I sure can't give you an accurate guess... anybody else?

CISSP, CEH, ECSA, OSCP, OSWP, eCPPT, eWAPT

earning my stripes appears to be a road i must travel alone...with a little help of EH.net

Unless there is a real emergency for a pentest, I would think the client will find it "too easy" if things can get done in 1 or 2 days. Also, it may be hard to bill $3000/day for pentesting. Regardless of whether the contract is per diem or per assignment, the client will do the math. Don't you think?

On average you can expect to be paid around $15,000 to $45,000 per assignment.

You mention the client doing the math even if the job is per assignment...

I have been in this situation as well and have to let the client know that I have experience in and licenses for specialized software their staff does not. This is a huge factor in the cost.

One thing that helps on a contract job is to get the client to allow a scope of internal/external testing that varies over a couple of weeks. One person I know intentionally overlaps pentest clients (when work is plentiful). Inevitably, while a pentest is going on, every IT problem is blamed on the test (even if only one or two people know about it). He says he lets them call a couple of times about "problems he's caused" before he's ever probed the network. He says it helps settle the client down before he actually touches anything. Claims he's still doing company fingerprinting during that time (and he may actually be, but most of the time he's finishing reports from a prior test).

This helps to:
1. Prevent the client from thinking you can do it all in one day.
2. Prevent the client from blaming perceived IT problems on the pentest.

Hope this makes sense/helps. As far as cost goes, the cost depends most on the scope of the test. A test that includes internal code review, as opposed to simply fuzzing a web server, will obviously cost more. The second important factor (particularly in the current economy) is what ratio of test scope (value) to price makes sense for the company. Unless the company has specific compliance issues to address, you can sell the need for the most comprehensive test available (and they can believe the need 100%) but they won't bite if it doesn't make financial sense.

That's a tough question to answer. I'd say a truly expert contract pen tester could draw in that much or more per day with no problem, but you are really comparing apples and oranges.

In my experience, when we hire a DB programmer or systems engineer it is to complete tasks on some project we are working on. The contract workers give some estimate of the time expected to complete, but actual completion time depends on a number of factors that might not be clear until they actually start the project.

When you negotiate a pentest, you have negotiated to complete a specific scope of work (test X services on X servers, etc). I have never been engaged in an open ended penetration test. The penetration test is normally billed on a project basis, not an hourly or daily basis.

To put a price on it though, I would have no problem charging (or paying, if I needed to) $500-1000 per day to a contractor for expert penetration testing services. In my experience, anything under $80/hr is a deal for expert contracting services, $100-120 is about average, and anything more than $150 had better bring something darn special to the table.

That being said, I view a pentest much more like outsourcing a module of code to be written. I spec out what needs to be written, a contractor submits a bid, I hire, pay, and get the code. I don't care how many man hours it takes for them to do it (as long as it is delivered on the agreed upon schedule).

I see that a little differently. It's true you have to have more knowledge about security/tools/methods than testers in other fields, but that's just part of the game. I don't see that as a reason to pay somebody more. That's like paying a garbage man per kilo of garbage he has picked up. If one is on a route that has more garbage, he shouldn't get paid more. A garbage man is a garbage man, just like a security/penetration tester is the same as an application tester.

On price, that's just a different story. It depends on things like supply and demand. But when I look at the prices mentioned here I think that's pretty accurate (even though it's more like $1000 than $500).

The pentester needs to know more things than a system architect and therefore should get more $$.

The more things you have to know in order to perform a given job, the more difficult it is to find a person like that. In other words, the supply becomes lower and lower. Therefore, salaries tend to rise a bit.

But thank you for your answers!

If that's the case then it's true. Like I said, it's a supply and demand thing. So when they ask a little more, they should get it.

I'm coming in late to this one, as work's been crazy busy this past week... that said -

There are too many variables to give a 'flat rate,' at least if you're a smaller shop, doing this type of work. Companies like Core are coming around, and offering some very nice prices for smaller gigs, and you really need to be able to compete, so you'll need to look at the market in your area, scope of the test, the depth of products / services you need to evaluate in the test, the number of machines, the time involved, etc. You need to intelligently come up with some pricing that takes EACH of these into account, and have a price schedule you can work from, accordingly, to determine the cost of any given engagement. I can't count on both hands and feet the number of engagements, in the last year, where I've custom quoted pricing (and gotten the engagement over other firms) because I've been more flexible, and not come with a set price.

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

I am not ready to do pentests now. In a couple of years, if things go well, I will know enough to do a good job (hopefully!!!).

Other than trying very hard to get experience by working with established professionals, when I start, I will probably ask a bit less than all the others in order to build my name...

I currently own a company, but I am more in web development than anything else right now. But I do know how a business works. I will try to start a partnership or work for another company just to see how this pentest business works.

Anyway, as I said, I still have a few years ahead of me and I know that patience is gold!